diff --git a/windows/access-protection/credential-guard/credential-guard-manage.md b/windows/access-protection/credential-guard/credential-guard-manage.md
index ee1efd2463..f54174f44c 100644
--- a/windows/access-protection/credential-guard/credential-guard-manage.md
+++ b/windows/access-protection/credential-guard/credential-guard-manage.md
@@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: brianlic-msft
-ms.date: 08/17/2017
+ms.date: 01/12/2018
---
# Manage Windows Defender Credential Guard
@@ -123,9 +123,9 @@ DG_Readiness_Tool_v3.2.ps1 -Ready
> [!NOTE]
-For client machines that are running Windows 10 1703, LSAIso is running whenever Virtualization based security is enabled for other features.
+For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features.
-- If Windows Defender Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Windows Defender Credential Guard should be enabled before the PC is joined to a domain.
+- We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard will not help to secure a device or identity that has already been compromised, which is why we recommend turning on Credential Guard as early as possible.
- You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
- **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
diff --git a/windows/access-protection/credential-guard/credential-guard-requirements.md b/windows/access-protection/credential-guard/credential-guard-requirements.md
index 5bea794664..d3be3e2ba8 100644
--- a/windows/access-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/access-protection/credential-guard/credential-guard-requirements.md
@@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
author: brianlic-msft
-ms.date: 08/17/2017
+ms.date: 01/12/2018
---
# Windows Defender Credential Guard: Requirements
@@ -73,6 +73,8 @@ Applications will prompt and expose credentials to risk if they require:
Applications may cause performance issues when they attempt to hook the isolated Windows Defender Credential Guard process.
+Services or protocols that rely on Kerberos, such as file shares, remote desktop, or BranchCache, continue to work and are not affected by Windows Defender Credential Guard.
+
See this video: [Credentials Protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
diff --git a/windows/access-protection/remote-credential-guard.md b/windows/access-protection/remote-credential-guard.md
index 7bb6243266..e5ef6bfcf2 100644
--- a/windows/access-protection/remote-credential-guard.md
+++ b/windows/access-protection/remote-credential-guard.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
-ms.date: 08/28/2017
+ms.date: 01/12/2018
---
# Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
@@ -83,7 +83,7 @@ To use Windows Defender Remote Credential Guard, the Remote Desktop client and r
The Remote Desktop client device:
-- Must be running at least Windows 10, version 1703 to be able to supply credentials.
+- Must be running at least Windows 10, version 1703 to be able to supply credentials.
- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user’s signed-in credentials. This requires the user’s account be able to sign in to both the client device and the remote host.
- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard.
- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk.
@@ -162,7 +162,7 @@ mstsc.exe /remoteGuard
- Windows Defender Remote Credential Guard does not support compound authentication. For example, if you’re trying to access a file server from a remote host that requires a device claim, access will be denied.
-- Windows Defender Remote Credential Guard cannot be used to connect to a device that is not domain-joined to Active Directory, for example, remote hosts joined to Azure Active Directory.
+- Windows Defender Remote Credential Guard can be used only when connecting to a device that is joined to a Windows Server Active Directory domain, including AD domain-joined servers that run as Azure virtual machines (VMs). Windows Defender Remote Credential Guard cannot be used when connecting to remote devices joined to Azure Active Directory.
- Remote Desktop Credential Guard only works with the RDP protocol.
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index 76543bd50f..7ee6468dd6 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 01/08/2018
+ms.date: 01/12/2018
---
# What's new in MDM enrollment and management
@@ -1037,6 +1037,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
DeviceGuard/EnableVirtualizationBasedSecurity
DeviceGuard/RequirePlatformSecurityFeatures
DeviceGuard/LsaCfgFlags
+DeviceLock/MinimumPasswordAge
ExploitGuard/ExploitProtectionSettings
Games/AllowAdvancedGamingServices
Handwriting/PanelDefaultModeDocked
@@ -1085,8 +1086,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
Education/PrinterNames
Search/AllowCloudSearch
Security/ClearTPMIfNotReady
+Settings/AllowOnlineTips
Start/HidePeopleBar
Storage/AllowDiskHealthModelUpdates
+System/DisableEnterpriseAuthProxy
System/LimitEnhancedDiagnosticDataWindowsAnalytics
Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork
Update/DisableDualScan
@@ -1495,6 +1498,12 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
WindowsDefenderSecurityCenter/HideSecureBoot
WindowsDefenderSecurityCenter/HideTPMTroubleshooting
+Added the following policies the were added in Windows 10, version 1709
+
+- DeviceLock/MinimumPasswordAge
+- Settings/AllowOnlineTips
+- System/DisableEnterpriseAuthProxy
+
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 06bc214f80..ad98eba42b 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 11/17/2017
+ms.date: 01/12/2018
---
# Policy CSP
@@ -950,6 +950,9 @@ The following diagram shows the Policy configuration service provider in tree fo
DeviceLock/MinDevicePasswordLength
+
+ DeviceLock/MinimumPasswordAge
+
DeviceLock/PreventLockScreenSlideShow
@@ -2582,6 +2585,9 @@ The following diagram shows the Policy configuration service provider in tree fo
Settings/AllowLanguage
+
+ Settings/AllowOnlineTips
+
Settings/AllowPowerSleep
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index a23b509f96..b056313e5a 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -6,11 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 01/12/2018
---
# Policy CSP - DeviceLock
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@@ -61,6 +63,9 @@ ms.date: 12/14/2017
DeviceLock/MinDevicePasswordLength
+
+ DeviceLock/MinimumPasswordAge
+
DeviceLock/PreventLockScreenSlideShow
@@ -115,7 +120,6 @@ ms.date: 12/14/2017
> [!NOTE]
> This policy must be wrapped in an Atomic command.
-
The following list shows the supported values:
@@ -918,6 +922,60 @@ The number of authentication failures allowed before the device will be wiped. A
+**DeviceLock/MinimumPasswordAge**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+  |
+  3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0.
+
+The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998.
+
+Configure the minimum password age to be more than 0 if you want Enforce password history to be effective. Without a minimum password age, users can cycle through passwords repeatedly until they get to an old favorite. The default setting does not follow this recommendation, so that an administrator can specify a password for a user and then require the user to change the administrator-defined password when the user logs on. If the password history is set to 0, the user does not have to choose a new password. For this reason, Enforce password history is set to 1 by default.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
**DeviceLock/PreventLockScreenSlideShow**
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md
index 00ffefca84..eae7e34484 100644
--- a/windows/client-management/mdm/policy-csp-settings.md
+++ b/windows/client-management/mdm/policy-csp-settings.md
@@ -6,11 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
-ms.date: 12/14/2017
+ms.date: 12/19/2017
---
# Policy CSP - Settings
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
@@ -34,6 +36,9 @@ ms.date: 12/14/2017
Settings/AllowLanguage
+
+ Settings/AllowOnlineTips
+
Settings/AllowPowerSleep
@@ -313,6 +318,57 @@ The following list shows the supported values:
+**Settings/AllowOnlineTips**
+
+
+
+
+ | Home |
+ Pro |
+ Business |
+ Enterprise |
+ Education |
+ Mobile |
+ Mobile Enterprise |
+
+
+ |
+ 3 |
+ 3 |
+ 3 |
+ 3 |
+ |
+ |
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+Enables or disables the retrieval of online tips and help for the Settings app.
+
+If disabled, Settings will not contact Microsoft content services to retrieve tips and help content.
+
+
+
+
+
+
+
+
+
+
+
+
+
**Settings/AllowPowerSleep**
diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
index f0ce9a70f4..6780c3b222 100644
--- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
+++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md
@@ -43,6 +43,7 @@ For many devices, drivers will be automatically installed in Windows 10 and ther
- [HP driver pack](http://www8.hp.com/us/en/ads/clientmanagement/drivers-pack.html)
- [Dell driver packs for enterprise client OS deployment](http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment)
- [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/documents/ht074984)
+ - [Panasonic Driver Pack for Enterprise](http://pc-dl.panasonic.co.jp/itn/drivers/driver_packages.html)
### Where can I find out if an application or device is compatible with Windows 10?